Releases: duriantaco/ca9

v0.1.4

08 Mar 09:21

[0.1.4] - 2026-03-08

Added

  • MCP server — ca9-mcp exposes ca9 as an MCP tool server with check_reachability, scan_dependencies, check_coverage_quality, and explain_verdict tools. Install with pip install ca9[mcp].
  • API call site coverage — when coverage data is available, ca9 now checks whether specific vulnerable API call sites were executed in tests, not just whether the package was executed.
  • Coverage completeness weighting — confidence scoring now factors in overall test coverage percentage. High coverage (80%+) makes dynamic absence signals more trustworthy; low coverage reduces their weight.
  • Coverage completeness in evidence — coverage_completeness_pct field added to the Evidence model, surfaced in JSON/SARIF output.
  • 34 new tests (349 total).

Changed

  • Verdict precision for API calls — when vulnerable API calls are found but call sites are not executed in tests, verdict is now INCONCLUSIVE instead of REACHABLE.
  • Code cleanup — removed inline ternary expressions across parsers, scanner, CLI, and report modules for readability.
  • Removed AI-generated comments — stripped redundant phase comments and docstrings from engine.

Fixed

  • Dead code in _api_usage_boost — ternary assignment was immediately overwritten by an identical if/else block.
  • Report column width — deduplicated repeated if/else blocks for table column width calculation.

v0.1.3

04 Mar 06:10

[0.1.3] - 2026-03-04

Added

  • Vulnerability intelligence layer — 21 curated rules across 6 packages (Django, Jinja2, PyYAML, requests, urllib3, Werkzeug) mapping advisories to 46 vulnerable API targets.
  • API-level reachability — AST-based scanner detects actual calls to vulnerable functions/classes/methods, not just package imports. Resolves aliased imports, attribute chains, and from X import Y patterns.
  • API evidence in verdicts — JSON/SARIF output now includes api_targets, api_usage_seen, api_usage_hits (with file, line, snippet), and intel_rule_ids.
  • API-driven verdict upgrades — finding vulnerable API calls can upgrade a verdict to REACHABLE even without coverage data.
  • API-aware confidence scoring — API usage boosts reachable confidence (+10–15), strengthens unreachable when no usage found (+8), penalizes contradictions.
  • 46 new tests (315 total).
  • Evidence model — every verdict now carries structured evidence (version range, import status, dependency kind, coverage, affected component source/confidence).
  • Confidence scoring — verdict-aware 0-100 confidence score. Signals boost or penalize depending on whether they support the verdict direction.
  • Affected component inference — commit analysis, curated mappings, regex extraction, and class name resolution each produce confidence-scored component matches.
  • OSV caching — vulnerability details cached to ~/.cache/ca9/osv/ with 24h TTL. Commit file lists cached to ~/.cache/ca9/commits/ with 7-day TTL.
  • Concurrent OSV fetches — ThreadPoolExecutor for parallel vulnerability detail lookups (--max-osv-workers, default 8).
  • Offline mode — --offline flag returns results from cache only, no network requests.
  • --refresh-cache — clears OSV cache before fetching.
  • --show-confidence — display confidence score in table output.
  • --show-evidence-source — display evidence extraction source in table output.
  • SARIF fingerprints — stable ca9/v1 fingerprints based on (vuln_id, package, version, verdict).
  • SARIF/JSON evidence — confidence score and full evidence object included in SARIF properties and JSON output.
  • GitHub token support — GITHUB_TOKEN env var for commit fetch rate limit mitigation.
  • 55 new tests (260 total).

Changed

  • PEP 440 version parsing — replaced naive tuple-based comparison with packaging.version.Version. Handles pre-releases, post-releases, dev releases, epochs, and local versions correctly.
  • Parser deduplication — widened dedupe key from vuln_id to (vuln_id, package_name, package_version). Same CVE across different packages is now preserved.
  • Engine refactored to evidence-first — collect_evidence() gathers all signals into an Evidence object, derive_verdict() applies deterministic policy on evidence.
  • Bare import no longer over-claims submodule reachability — import requests sets submodule_imported=None (unknown) instead of True.
  • Commit fetch warnings propagated — GitHub fetch failures now flow into Evidence.external_fetch_warnings and degrade confidence scores.
  • Confidence scoring is verdict-directional — package_imported=True boosts REACHABLE confidence but penalizes UNREACHABLE, and vice versa. Same for version_in_range, coverage_seen, submodule_imported.
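The evidence-first split (collect signals, then apply deterministic policy) and the verdict-directional scoring described above, together with the v0.1.4 rules that an unexecuted vulnerable call site yields INCONCLUSIVE and that coverage completeness weights absence signals, can be shown in one small policy function. This is an added illustration, not ca9's engine: the exact ordering of the rules, the weights, and the call_sites_executed field name are assumptions, and the findings are constructed. The exit-code mapping at the end follows the v0.1.1 entry further down the page.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

REACHABLE, UNREACHABLE, INCONCLUSIVE = "REACHABLE", "UNREACHABLE", "INCONCLUSIVE"


@dataclass
class Evidence:
    """Signals for one (vuln_id, package, version). Field names follow the release
    notes; call_sites_executed is an assumed name for the v0.1.4 call-site check."""
    version_in_range: bool
    package_imported: bool
    api_targets: list[str] = field(default_factory=list)
    api_usage_seen: bool = False
    call_sites_executed: Optional[bool] = None   # None: no coverage data for the call sites
    coverage_seen: Optional[bool] = None         # package code ran in tests; None: no coverage data
    coverage_completeness_pct: Optional[int] = None


def derive_verdict(ev: Evidence) -> str:
    """Deterministic policy over evidence (illustrative ordering, not ca9's exact rules)."""
    if not ev.version_in_range or not ev.package_imported:
        return UNREACHABLE
    if ev.api_usage_seen:
        # A vulnerable call site that coverage shows never executed is INCONCLUSIVE;
        # without coverage data the static API hit alone upgrades to REACHABLE.
        return INCONCLUSIVE if ev.call_sites_executed is False else REACHABLE
    if ev.coverage_seen is None:
        return INCONCLUSIVE
    if ev.coverage_seen:
        return REACHABLE
    # Dynamic absence is only trusted when the suite covers enough of the code.
    return UNREACHABLE if (ev.coverage_completeness_pct or 0) >= 80 else INCONCLUSIVE


def confidence(ev: Evidence, verdict: str) -> int:
    """Verdict-directional 0-100 score: a signal adds when it supports the verdict's
    direction and subtracts when it contradicts it. Weights are assumptions."""
    if verdict == INCONCLUSIVE:
        return 50
    toward_reachable = verdict == REACHABLE
    score = 50
    signals = [
        (ev.version_in_range, 10),
        (ev.package_imported, 10),
        (ev.api_usage_seen if ev.api_targets else None, 15),  # only meaningful with known targets
        (ev.coverage_seen, 10),
    ]
    for value, weight in signals:
        if value is None:
            continue
        score += weight if value == toward_reachable else -weight
    if ev.coverage_seen is False and ev.coverage_completeness_pct is not None:
        # An absence signal is worth less the more of the code base went untested.
        score -= (100 - ev.coverage_completeness_pct) // 10
    return max(0, min(100, score))


def exit_code(verdicts: list[str]) -> int:
    """CI/CD mapping: 1 if anything is reachable, 2 if only inconclusive, else 0."""
    if REACHABLE in verdicts:
        return 1
    if INCONCLUSIVE in verdicts:
        return 2
    return 0


# Constructed findings for a single project.
FINDINGS = {
    "static-api-hit": Evidence(True, True, ["yaml.load"], api_usage_seen=True),
    "call-site-untested": Evidence(True, True, ["yaml.load"], api_usage_seen=True,
                                   call_sites_executed=False, coverage_seen=True,
                                   coverage_completeness_pct=90),
    "absent-high-coverage": Evidence(True, True, ["yaml.load"], coverage_seen=False,
                                     coverage_completeness_pct=85),
    "absent-low-coverage": Evidence(True, True, ["yaml.load"], coverage_seen=False,
                                    coverage_completeness_pct=40),
}


def evaluate(findings: dict[str, Evidence]) -> dict[str, tuple[str, int]]:
    results = {}
    for name, ev in findings.items():
        verdict = derive_verdict(ev)
        results[name] = (verdict, confidence(ev, verdict))
    return results


if __name__ == "__main__":
    results = evaluate(FINDINGS)
    for name, (verdict, score) in results.items():
        print(f"{name:22} {verdict:12} confidence={score}")
    print("exit code:", exit_code([v for v, _ in results.values()]))
```

Keeping policy out of signal collection is what makes the verdict explainable: the same Evidence object that drove the verdict is what gets serialised into the JSON/SARIF evidence block, so a reviewer can see which signal the score rewarded or penalised.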

Fixed

  • Python 3.11 f-string syntax error — ditto marks in table grouping used backslashes inside f-strings, which is only valid in 3.12+.
  • Linting errors — unused imports, Yoda conditions, non-idiomatic conditionals.
  • Duplicate extract_affected_component() call — was computed twice per vulnerability (once in collect_evidence, once in analyze). Now computed once and passed through.
  • --offline was a no-op — _query_from_cache_only() was a stub. Now scans cache directory and matches cached vulns to requested packages.
  • Version ranges without introduced skipped silently — ranges missing the introduced field were dropped entirely.

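The PEP 440 entry under Changed and the fix for ranges missing an introduced field both concern how a version is tested against an advisory range. The block below is an added illustration of why tuple-based comparison was the wrong tool and how an OSV-style event list evaluates under packaging.version; it is not ca9's code. The naive_key variant, the assumption that a range without introduced starts at "0", and the constructed ranges are all assumptions for the example (events are assumed to be in order).

```python
from __future__ import annotations

try:
    from packaging.version import Version
except ImportError:  # pip ships a vendored copy; fall back to it if packaging is absent
    from pip._vendor.packaging.version import Version


def naive_key(version: str) -> tuple[int, ...]:
    """A tuple comparison of the kind the notes describe as replaced. This particular
    variant, which keeps only the digits of each dot-separated component, is an
    assumption; it turns '2.0.0rc1' into (2, 0, 1), i.e. *newer* than 2.0.0."""
    return tuple(
        int("".join(ch for ch in part if ch.isdigit()) or "0") for part in version.split(".")
    )


def naive_in_range(version: str, introduced: str, fixed: str) -> bool:
    return naive_key(introduced) <= naive_key(version) < naive_key(fixed)


def is_affected(version: str, events: list[dict[str, str]]) -> bool:
    """Evaluate an ordered OSV ECOSYSTEM event list (introduced / fixed / last_affected)
    against a version using PEP 440 ordering. A range whose first event lacks
    `introduced` is treated as introduced at "0" rather than dropped (assumed
    handling for the fix above)."""
    v = Version(version)
    if not events or "introduced" not in events[0]:
        events = [{"introduced": "0"}, *events]
    affected = False
    for event in events:
        if "introduced" in event and Version(event["introduced"]) <= v:
            affected = True
        elif "fixed" in event and Version(event["fixed"]) <= v:
            affected = False
        elif "last_affected" in event and Version(event["last_affected"]) < v:
            affected = False
    return affected


# Constructed advisory range: everything before 2.0.0 is affected.
FIXED_IN_2 = [{"introduced": "0"}, {"fixed": "2.0.0"}]


def compare(version: str) -> tuple[bool, bool]:
    """(naive verdict, PEP 440 verdict) for the constructed range."""
    return naive_in_range(version, "0", "2.0.0"), is_affected(version, FIXED_IN_2)


if __name__ == "__main__":
    for candidate in ("2.0.0rc1", "2.0.0.dev1", "1.9.post1", "2.0.0.post1", "1.5+local"):
        naive, pep440 = compare(candidate)
        flag = "" if naive == pep440 else "  <- naive comparison is wrong"
        print(f"{candidate:12} naive={naive!s:5} pep440={pep440!s:5}{flag}")
```

Pre-release and dev versions are the dangerous case: a tuple key reads 2.0.0rc1 as newer than the fix and silently reports the package as not affected, while PEP 440 ordering correctly places it before 2.0.0. Post-releases and local versions happen to agree under both schemes, which is why a naive comparison can pass most tests and still miss the release candidates that pin files frequently contain.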
v0.1.1

02 Mar 02:37

Added

  • CI/CD exit codes — 0 clean, 1 reachable CVEs found, 2 inconclusive only.
  • SARIF 2.1.0 output — --format sarif for GitHub Security tab integration.
  • .ca9.toml config file — auto-discovered from CWD upward, sets default CLI options.
  • Trivy parser — ca9 check trivy.json now works out of the box.
  • pip-audit parser — ca9 check pip-audit.json now works out of the box.
  • 42 new tests (205 total).